ML

yara string #1


Hexadecimal strings

wildcard

rule WildcardExample
{
    strings:
        $hex_string = { E2 34 ?? C8 A? FB }   // ?? matches any byte; A? matches any byte A0..AF

    condition:
        $hex_string
}
      

Jump: any 4 to 6 bytes between the two fixed parts

rule JumpExample
{
    strings:
        $hex_string = { F4 23 [4-6] 62 B4 }   // [4-6]: between 4 and 6 arbitrary bytes

    condition:
        $hex_string
}
            

 

rule AlternativesExample1
{
    strings:
        $hex_string = { F4 23 ( 62 B4 | 56 ) 45 }   // either 62 B4 or 56 in the middle

    condition:
        $hex_string
}

==> F4 23 62 B4 45
==> F4 23 56 45
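To see how the three hex-string constructs above (`??` and nibble wildcards, `[n]`/`[lo-hi]` jumps, `( a | b )` alternatives) behave on real bytes, here is an added example that is not part of the original post or of YARA itself: a small translator from YARA hex-string syntax into a Python bytes regex, with a matcher that reports every offset where the pattern occurs. The sample bytes are constructed for the demonstration.

```python
import re

# Added example (not from the page or the YARA project): YARA hex string -> bytes regex.
# Tokens: [lo-hi] jump, [n] jump, the punctuation of alternatives, or one byte / wildcard.
_TOKEN = re.compile(r"\[(\d+)-(\d+)\]|\[(\d+)\]|([()|])|([0-9A-Fa-f?]{2})")


def _nibble_class(tok: str) -> bytes:
    """Regex character class for a byte whose high and/or low nibble is '?'."""
    hi, lo = tok
    vals = [v for v in range(256)
            if (hi == "?" or (v >> 4) == int(hi, 16))
            and (lo == "?" or (v & 0xF) == int(lo, 16))]
    return b"[" + b"".join(re.escape(bytes([v])) for v in vals) + b"]"


def hex_string_to_regex(hex_string: str) -> bytes:
    """'{ F4 23 [4-6] ( 62 B4 | 56 ) 45 }' -> regex source matching those byte sequences."""
    body = hex_string.strip().strip("{}")
    parts = []
    for m in _TOKEN.finditer(body):
        lo, hi, fixed, punct, byte = m.groups()
        if lo is not None:                      # [lo-hi]: lo..hi arbitrary bytes
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        elif fixed is not None:                 # [n]: exactly n arbitrary bytes
            parts.append(b".{%d}" % int(fixed))
        elif punct is not None:                 # ( | ) map one-to-one onto a regex group
            parts.append(punct.encode())
        elif byte == "??":                      # full-byte wildcard
            parts.append(b".")
        elif "?" in byte:                       # nibble wildcard such as A? or ?3
            parts.append(_nibble_class(byte))
        else:                                   # literal byte
            parts.append(re.escape(bytes([int(byte, 16)])))
    return b"".join(parts)


def match_offsets(hex_string: str, data: bytes) -> list:
    """All offsets (overlapping ones included) where the hex string matches data."""
    rx = re.compile(hex_string_to_regex(hex_string), re.DOTALL)  # '.' must also match 0x0A
    offsets, pos = [], 0
    while (m := rx.search(data, pos)) is not None:
        offsets.append(m.start())
        pos = m.start() + 1
    return offsets


if __name__ == "__main__":
    sample = b"\x00\xe2\x34\x11\xc8\xa7\xfb\x00"            # constructed test bytes
    print(match_offsets("{ E2 34 ?? C8 A? FB }", sample))    # [1]
```

The length of the returned list is the same quantity the `#a` count operator works with in the conditions further down.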

 

Counting strings

Counting by the number of times a string occurs

rule CountExample
{
    strings:
        $a = "dummy1"
        $b = "dummy2"

    condition:
        #a == 6 and #b > 10   // #a is the number of occurrences of $a in the file
}
 

 

String offsets or virtual addresses

rule AtExample
{
    strings:
        $a = "dummy1"
        $b = "dummy2"

    condition:
        $a at 100 and $b at 200   // exact offset (or virtual address for a running process)
}

Detecting a string within an offset range

rule InExample
{
    strings:
        $a = "dummy1"
        $b = "dummy2"

    condition:
        $a in (0..100) and $b in (100..filesize)
}

 

File size

rule FileSizeExample
{
    condition:
        filesize > 200KB
}

 

For executable files or ELF files, the entrypoint variable can be used.

rule EntryPointExample1
{
    strings:
        $a = { E8 00 00 00 00 }

    condition:
        $a at entrypoint
}

rule EntryPointExample2
{
    strings:
        $a = { 9C 50 66 A1 ?? ?? ?? 00 66 A9 ?? ?? 58 0F 85 }

    condition:
        $a in (entrypoint..entrypoint + 10)
}

 

 

Sets of strings

rule OfExample1
{
    strings:
        $a = "dummy1"
        $b = "dummy2"
        $c = "dummy3"

    condition:
        2 of ($a,$b,$c)
}

rule OfExample2
{
    strings:
        $foo1 = "foo1"
        $foo2 = "foo2"
        $foo3 = "foo3"

    condition:
        2 of ($foo*)     // == 2 of ($foo1,$foo2,$foo3)
}

rule OfExample3
{
    strings:
        $foo1 = "foo1"
        $foo2 = "foo2"

        $bar1 = "bar1"
        $bar2 = "bar2"

    condition:
        3 of ($foo*, $bar1, $bar2)
}
        
        

 

 

reference : https://yara.readthedocs.io/en/v3.4.0/writingrules.html

 


 
